PTC Windchill GW READY OK Probe

Splunk Security Content

Summary
Anomaly detection for Windchill Log4j exploitation (CVE-2026-4681), focused on the validation probe GW_READY_OK. The analytic surfaces Windchill MethodServer log4j events containing the probe string run?c=echo%20GW_READY_OK, which attackers use to confirm reachability of a staged gateway component before issuing operating-system commands through the same c= parameter.

Detection targets log entries from the Windchill web application context, specifically the loggers wt.servlet.ServletRequestMonitor.request and wt.method.MethodContextMonitor.contexts.servletRequest. It parses the payload to extract event fields such as timestamp, source IP, HTTP path, and query parameters; normalizes and URL-decodes the query string; isolates the c parameter; and matches it against the decoded value echo GW_READY_OK. On a match, the rule categorizes the activity as gw_ready_ok_probe, records the source IP, and aggregates results by source and parameter value.

The analytic belongs to the PTC Windchill Exploitation narrative (Windchill and FlexPLM) and carries metadata including CVE-2026-4681 and the MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). The data source is Windchill log4j logging; the rule applies to Web/Application contexts, with Splunk as the product and a network security domain focus. False positives should be rare and mostly attributable to deliberate testing or vendor diagnostics that generate GW_READY_OK-like probes.
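The parsing, decoding and aggregation steps described above, as an added Python example that is not part of the Splunk Security Content rule itself. The log line layout (`<timestamp> <level> <logger> - <src_ip> <method> <url>`), the sample lines, the IP addresses and the request path are all constructed for illustration and do not reflect a real Windchill log format; only the two logger names, the `c` parameter and the `echo GW_READY_OK` value come from the rule description. It also goes one step beyond the text by decoding the parameter repeatedly (bounded) so that a double-encoded `%2520` still normalizes to the probe value.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Logger names taken from the rule description
TARGET_LOGGERS = {
    "wt.servlet.ServletRequestMonitor.request",
    "wt.method.MethodContextMonitor.contexts.servletRequest",
}
PROBE_VALUE = "echo GW_READY_OK"
CATEGORY = "gw_ready_ok_probe"

# Assumed line layout for this example (not a real Windchill log format):
#   <timestamp> <level> <logger> - <src_ip> <method> <url>
LINE_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+) (?P<level>\w+) (?P<logger>[\w.]+) - "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

# Constructed sample lines: two probes from one source (one double-encoded),
# a benign request, a probe on a non-target logger, and a '+'-encoded probe.
SAMPLE_LOGS = [
    "2026-06-16 10:15:22,113 INFO wt.servlet.ServletRequestMonitor.request - "
    "203.0.113.5 GET /Windchill/run?c=echo%20GW_READY_OK",
    "2026-06-16 10:15:23,009 INFO wt.method.MethodContextMonitor.contexts.servletRequest - "
    "203.0.113.5 GET /Windchill/run?c=echo%2520GW_READY_OK",
    "2026-06-16 10:16:01,500 INFO wt.servlet.ServletRequestMonitor.request - "
    "198.51.100.7 GET /Windchill/run?c=list&page=2",
    "2026-06-16 10:16:40,017 INFO wt.other.UnrelatedLogger - "
    "198.51.100.8 GET /Windchill/run?c=echo%20GW_READY_OK",
    "2026-06-16 10:17:05,221 INFO wt.servlet.ServletRequestMonitor.request - "
    "198.51.100.9 GET /Windchill/run?c=echo+GW_READY_OK",
]


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, with a bound so a
    pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(value):
    """Collapse internal whitespace so 'echo  GW_READY_OK' still matches."""
    return " ".join(value.split())


def parse_line(line):
    """Extract timestamp, logger, source IP, path and decoded query parameters.
    Returns None for lines that do not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    path, _, query = event.pop("url").partition("?")
    event["path"] = path
    # parse_qs percent-decodes once; decode_fully handles any further layers.
    raw_params = parse_qs(query, keep_blank_values=True)
    event["params"] = {k: [decode_fully(v) for v in vs] for k, vs in raw_params.items()}
    return event


def matched_probe(event):
    """Return the normalized c= value if this event is a GW_READY_OK probe
    from one of the target loggers, else None."""
    if event is None or event["logger"] not in TARGET_LOGGERS:
        return None
    for value in event["params"].get("c", []):
        if normalize(value) == PROBE_VALUE:
            return normalize(value)
    return None


def aggregate(lines):
    """Count probe events keyed by (source IP, parameter value), mirroring the
    rule's aggregation by source and parameter value."""
    counts = {}
    for line in lines:
        event = parse_line(line)
        probe = matched_probe(event)
        if probe is not None:
            event["category"] = CATEGORY
            key = (event["src_ip"], probe)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src_ip, value), n in aggregate(SAMPLE_LOGS).items():
        print(f"{CATEGORY}\t{src_ip}\t{value}\t{n}")
```

The benign `c=list` request and the probe seen on a non-target logger are both dropped, while the plain, double-encoded and `+`-encoded probes all collapse to the same `echo GW_READY_OK` key; in Splunk the equivalent aggregation would be a `stats count by src_ip, c_value` after the same decoding step.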
Categories
  • Web
  • Application
Data Sources
  • Application Log
ATT&CK Techniques
  • T1190
  • T1059
Created: 2026-06-16